```bash
# 1: Drop invalid packets #
/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

# 2: Drop TCP packets that are new and are not SYN #
/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# 3: Drop SYN packets with suspicious MSS value #
/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

# 4: Block packets with bogus TCP flags #
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# 5: Block spoofed packets (reserved, private and loopback source ranges) #
/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP
/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP
# loopback source addresses are only legitimate on the lo interface
/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP

# 6: Drop ICMP (you usually don't need this protocol) #
# note: this also drops ICMP "fragmentation needed", so path MTU discovery stops working
/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP

# 7: Drop fragments in all chains #
/sbin/iptables -t mangle -A PREROUTING -f -j DROP

# 8: Limit connections per source IP #
/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset
```
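As an added example that is not part of the original post, here is a small Python model of sections 2 to 5 of the ruleset above: it implements the `--tcp-flags MASK COMP` matching semantics plus the `! --syn`, MSS and spoofed-source checks, so you can see which rule a given packet description would hit before loading the rules on a host. All packet fields and addresses are constructed; section 1 (conntrack INVALID) needs real connection state and is not modelled.

```python
import ipaddress

# TCP flag bits as in the TCP header; names match what iptables --tcp-flags accepts.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def flag_bits(spec):
    """Turn an iptables flag list such as 'SYN,ACK', 'ALL' or 'NONE' into a bitmask."""
    if spec == "ALL":
        return 0x3F
    if spec == "NONE":
        return 0
    return sum(TCP_FLAGS[name] for name in spec.split(","))

def tcp_flags_match(flags, mask, comp):
    """iptables --tcp-flags MASK COMP: of the bits named in MASK, exactly those in COMP are set."""
    return flags & flag_bits(mask) == flag_bits(comp)

# Section 4 of the ruleset as (MASK, COMP) pairs, in the order the rules are added.
BOGUS_FLAG_RULES = [
    ("FIN,SYN,RST,PSH,ACK,URG", "NONE"), ("FIN,SYN", "FIN,SYN"), ("SYN,RST", "SYN,RST"),
    ("SYN,FIN", "SYN,FIN"), ("FIN,RST", "FIN,RST"), ("FIN,ACK", "FIN"), ("ACK,URG", "URG"),
    ("ACK,FIN", "FIN"), ("ACK,PSH", "PSH"), ("ALL", "ALL"), ("ALL", "NONE"),
    ("ALL", "FIN,PSH,URG"), ("ALL", "SYN,FIN,PSH,URG"), ("ALL", "SYN,RST,ACK,FIN,URG"),
]

# Section 5: source ranges dropped unconditionally. 127.0.0.0/8 is handled separately (! -i lo).
SPOOFED_SOURCES = [ipaddress.ip_network(n) for n in (
    "224.0.0.0/3", "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24",
    "192.168.0.0/16", "10.0.0.0/8", "0.0.0.0/8", "240.0.0.0/5")]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def evaluate(src, flags, is_new, mss=None, iface="eth0"):
    """Walk sections 2-5 for a simplified TCP packet and name the first rule that drops it.

    flags: comma list like 'SYN' or 'SYN,ACK' (or 'NONE'); is_new: conntrack state NEW;
    mss: value of the MSS option, or None when the option is absent; iface: input interface.
    """
    bits = flag_bits(flags)
    # --syn means SYN set with RST and ACK clear, i.e. --tcp-flags SYN,RST,ACK SYN.
    is_syn = tcp_flags_match(bits, "SYN,RST,ACK", "SYN")
    if is_new and not is_syn:
        return "DROP: new but not SYN (2)"
    # xt_tcpmss returns the inverted result when no MSS option is present, so with '!'
    # a NEW packet that carries no MSS option is dropped as well.
    if is_new and (mss is None or not 536 <= mss <= 65535):
        return "DROP: suspicious MSS (3)"
    for mask, comp in BOGUS_FLAG_RULES:
        if tcp_flags_match(bits, mask, comp):
            return f"DROP: bogus flags {mask} {comp} (4)"
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in SPOOFED_SOURCES) or (addr in LOOPBACK and iface != "lo"):
        return f"DROP: spoofed source {src} (5)"
    return "ACCEPT (no PREROUTING rule matched)"
```

Because the model evaluates the rules in the order they are appended, it also shows why a packet is never reported twice: the first matching DROP ends the walk, exactly as it does in the mangle PREROUTING chain.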